Microsoft Defender XDR Components

Dev Thakkar
2 min read · Mar 15, 2024

(1) XDR (Extended Detection and Response) — What does it do?

  • Monitors data from endpoint devices, firewalls and cloud applications.
  • Endpoint devices such as…
        (1) smartphones
        (2) tablets
        (3) desktops
        (4) virtual machines
        (5) servers
        (6) embedded smart appliances
        (7) Internet of Things devices such as security systems, cameras and thermostats
  • Data collected:
        (1) process activity
        (2) network activity
        (3) kernel and memory usage
        (4) login activities
        (5) registry changes
        (6) file changes, etc.
  • Correlates alerts from different data sources to create a complete view of the security incident.
  • Uses data analytics and machine learning (AI tools) to detect threats to systems.
  • Provides the option to automatically remediate malicious activity and documents the steps taken to isolate a threat.

(2) Components of Microsoft XDR

  • Microsoft Defender for Identity
    Uses Entra ID service signals to detect and investigate threats, compromised identities, and malicious insider actions directed at organizations.
  • Microsoft Defender for Endpoint
    Uses endpoint services on devices (e.g. Microsoft Defender Antivirus in Windows 11) to gather behavioral signals. The signals are analyzed and translated into insights with recommended responses to advanced threats.
  • Microsoft Defender for Office 365
    An email filtering service that protects against malware, including real-time protection when users click on harmful links.
  • Microsoft Defender for Cloud Apps
    A cloud access security broker (CASB) that screens data communication between enterprise users and cloud services. It provides visibility of all cloud services in use, maintains data security, identifies threats, and supports user privacy and compliance requirements (e.g. PCI DSS).

(3) Microsoft Sentinel Integration

  • Is a Security Information and Event Management (SIEM) service that can be integrated with Microsoft Defender XDR to collect endpoint data.
  • The SIEM tool becomes the main data store for analyzing data from Microsoft Defender XDR and other cloud or on-premises systems.
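The correlation described in section (1) (alerts from several sources plus process, network, logon, registry and file telemetry stitched into one view of a device) and the Sentinel integration in section (3) can both be seen in a single hunting query. The query below is an added example, not part of the original article and not Microsoft's own content; it assumes the Microsoft Defender XDR Advanced Hunting schema (the AlertInfo, AlertEvidence and Device* tables) and runs either in the Defender portal or in Microsoft Sentinel once the Defender XDR connector has ingested those tables. The lookback window and the one-hour correlation window are assumptions chosen for illustration.

```kusto
// Added example (not from the article). Assumes the Defender XDR Advanced
// Hunting schema: AlertInfo, AlertEvidence, DeviceProcessEvents,
// DeviceNetworkEvents, DeviceLogonEvents, DeviceRegistryEvents, DeviceFileEvents.
let lookback = 24h;          // assumed window; narrow it on large tenants
// 1. Alerts raised by every Defender component, tied to the device involved.
//    ServiceSource tells us which component (Endpoint, Identity, Office 365,
//    Cloud Apps) produced the alert.
let alertsByDevice = AlertInfo
    | where Timestamp > ago(lookback)
    | join kind=inner (
        AlertEvidence
        | where isnotempty(DeviceId)
        | project AlertId, DeviceId, DeviceName
      ) on AlertId
    | project AlertTime = Timestamp, AlertId, Title, Severity, ServiceSource,
              DeviceId, DeviceName;
// 2. Raw endpoint telemetry from the data sources listed in section (1),
//    normalised to one shape so the sources can be combined.
let telemetry = union
    (DeviceProcessEvents
        | where Timestamp > ago(lookback)
        | project Timestamp, DeviceId, Source = "process",
                  Detail = strcat(FileName, " ", ProcessCommandLine)),
    (DeviceNetworkEvents
        | where Timestamp > ago(lookback) and ActionType == "ConnectionSuccess"
        | project Timestamp, DeviceId, Source = "network",
                  Detail = strcat(InitiatingProcessFileName, " -> ",
                                  RemoteIP, ":", tostring(RemotePort))),
    (DeviceLogonEvents
        | where Timestamp > ago(lookback) and ActionType == "LogonSuccess"
        | project Timestamp, DeviceId, Source = "logon",
                  Detail = strcat(AccountName, " via ", LogonType)),
    (DeviceRegistryEvents
        | where Timestamp > ago(lookback) and ActionType == "RegistryValueSet"
        | project Timestamp, DeviceId, Source = "registry",
                  Detail = strcat(RegistryKey, @"\", RegistryValueName)),
    (DeviceFileEvents
        | where Timestamp > ago(lookback) and ActionType == "FileCreated"
        | project Timestamp, DeviceId, Source = "file",
                  Detail = FolderPath);
// 3. Correlate: per device, which Defender components alerted and what the
//    endpoint telemetry shows in the hour around each alert.
alertsByDevice
| join kind=inner telemetry on DeviceId
| where Timestamp between ((AlertTime - 1h) .. (AlertTime + 1h))
| summarize
    AlertCount       = dcount(AlertId),
    Components       = make_set(ServiceSource),
    Severities       = make_set(Severity),
    TelemetrySources = make_set(Source),
    SampleDetails    = make_set(Detail, 20)
  by DeviceId, DeviceName
// Devices that more than one Defender component has alerted on are exactly
// the cross-source picture XDR correlation is meant to surface.
| where array_length(Components) > 1
| order by AlertCount desc
```

The same query works unchanged in a Sentinel workspace connected to Defender XDR, which is the sense in which Sentinel becomes the central data store: the tables it ingests keep their Advanced Hunting names, so hunting and analytics rules written against Defender data can also join it to non-Microsoft sources held in the same workspace. The union over raw telemetry is expensive, so in practice keep the lookback short or filter each branch (for example to a specific DeviceId) before joining.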

(4) Microsoft Security Copilot

  • Is an AI prompt-driven tool built on a specialized Large Language Model (LLM).
  • The specialized LLM provides security insights aggregated through plugins (data and signals) from Microsoft Defender XDR, Microsoft Sentinel, Microsoft Intune, and Microsoft Defender Threat Intelligence.
